From owner-freebsd-security Wed Feb 14 10:40:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id EDCF337B491 for ; Wed, 14 Feb 2001 10:40:12 -0800 (PST)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.2/8.11.2) with ESMTP id f1EIdUp27509; Wed, 14 Feb 2001 13:39:30 -0500 (EST) (envelope-from rsimmons@wlcg.com)
Date: Wed, 14 Feb 2001 13:39:30 -0500 (EST)
From: Rob Simmons
To: Kris Kennaway
Cc: Ragnar Beer, freebsd-security@FreeBSD.ORG
Subject: Re: security settings documentation
In-Reply-To: <20010214092909.B72301@mollari.cthul.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Default System Security Profile

Extreme
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="NO"
portmap_enable="NO"
sendmail_enable="NO"
sshd_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="2"

At this level the following services are disabled:
inetd
portmap
sendmail
sshd
NFS

The kernel securelevels are enabled and raised to level 2
---------------------------------------------------------

High
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="NO"
sendmail_enable="YES"
sshd_enable="YES"
portmap_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"

At this level the following services are disabled:
inetd
portmap
NFS

Kernel securelevel is enabled and raised to level 1
---------------------------------------------------------

Medium
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"

If the machine has been set up as an NFS client or server:
portmap_enable="YES"

If the machine has not been set up as an NFS server:
nfs_reserved_port_only="YES"

At this level the following services are enabled:
inetd
sendmail
sshd

Depending on whether the machine is set up as an NFS client or server:
Client: portmap
Server: portmap, and NFS is only provided on a secure port

Kernel securelevel is not enabled
---------------------------------------------------------

Low
=========================================================
Adds the following settings to /etc/rc.conf

inetd_enable="YES"
sendmail_enable="YES"
portmap_enable="YES"
sshd_enable="YES"

At this level the following services are enabled:
inetd
sendmail
portmap
sshd

Kernel securelevel is not enabled
---------------------------------------------------------

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 14 Feb 2001, Kris Kennaway wrote:

> On Wed, Feb 14, 2001 at 12:10:04PM -0500, Rob Simmons wrote:
> > Read the man page for init(8)
>
> No, that's not it - he's talking about the "low/medium/high" settings
> in sysinstall. I don't think a good documentation source really
> exists at the moment - you should check the code in
> /usr/src/releases/sysinstall/config.c and look at the rc.conf
> variables it sets.
>
> Then write up some documentation for us and send it to doc@freebsd.org
> :-)
>
> Kris
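The profile tables above say what sysinstall writes into /etc/rc.conf, but a host drifts from its profile as soon as someone appends a line by hand. The script below is an added example, not code from the post or from sysinstall: it reads an rc.conf the way sh will (the last assignment of a variable wins, "yes" and "YES" are the same boolean) and reports every setting that disagrees with a chosen profile. It assumes the rc.conf variable names listed in the post, encodes only the unconditional Medium settings (the NFS-dependent lines are left out), and treats a variable that is absent from the file as a finding, because its value then comes from /etc/defaults/rc.conf rather than from the profile. The sample rc.conf it audits is constructed for the demo and is not from any real host.

```shell
#!/bin/sh
# Audit an /etc/rc.conf against the sysinstall security profiles listed in the
# message above.  Added example, not code from the post or from sysinstall.
# rc.conf is sourced by sh, so the LAST assignment of a variable takes effect;
# rc_get reproduces that.  Lines are expected to be simple VAR="value" entries.

# rc_get FILE VAR: print the effective value of VAR in FILE, or nothing if unset
rc_get() {
    awk -v var="$2" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (line == "" || substr(line, 1, 1) == "#") next
            eq = index(line, "=")
            if (eq == 0) next
            if (substr(line, 1, eq - 1) != var) next
            val = substr(line, eq + 1)
            sub(/[[:space:]]+#.*$/, "", val)   # trailing comment
            sub(/[[:space:]]+$/, "", val)
            sub(/^["'\'']/, "", val)           # surrounding quotes
            sub(/["'\'']$/, "", val)
            last = val; seen = 1
        }
        END { if (seen) print last }
    ' "$1"
}

# yesno VALUE: succeed when VALUE is a true-ish rc.conf boolean, as rc scripts read it
yesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# profile_expect NAME: the settings each profile writes, taken from the post above.
# Medium's NFS-dependent lines are conditional and are not encoded here;
# "securelevel not enabled" is encoded as kern_securelevel_enable=NO.
profile_expect() {
    case "$1" in
        extreme) echo "inetd_enable=NO portmap_enable=NO sendmail_enable=NO sshd_enable=NO nfs_server_enable=NO kern_securelevel_enable=YES kern_securelevel=2" ;;
        high)    echo "inetd_enable=NO portmap_enable=NO sendmail_enable=YES sshd_enable=YES nfs_server_enable=NO kern_securelevel_enable=YES kern_securelevel=1" ;;
        medium)  echo "inetd_enable=YES sendmail_enable=YES sshd_enable=YES kern_securelevel_enable=NO" ;;
        low)     echo "inetd_enable=YES sendmail_enable=YES sshd_enable=YES portmap_enable=YES kern_securelevel_enable=NO" ;;
        *)       echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

# profile_violations FILE NAME: one line per setting that does not match the profile.
# An absent variable is reported too: its value then comes from /etc/defaults/rc.conf.
profile_violations() {
    expect=$(profile_expect "$2") || return 2
    for pair in $expect; do
        var=${pair%%=*}; want=${pair#*=}
        got=$(rc_get "$1" "$var")
        if [ -z "$got" ]; then
            echo "$var: not set in $1 (default from /etc/defaults/rc.conf applies), profile wants $want"
            continue
        fi
        ok=0
        case "$var" in
            *_enable)                       # booleans: "yes" and "YES" are the same thing
                if yesno "$want"; then yesno "$got" && ok=1
                else yesno "$got" || ok=1
                fi ;;
            *)   [ "$got" = "$want" ] && ok=1 ;;
        esac
        [ "$ok" -eq 1 ] || echo "$var: expected $want, got $got"
    done
}

count_violations() { profile_violations "$1" "$2" | wc -l | tr -d ' '; }

# make_sample_rcconf: write a CONSTRUCTED rc.conf (not from a real host), print its path
make_sample_rcconf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample for the audit: a host its admin believes is at "High"
hostname="host.example"
sshd_enable="YES"
sendmail_enable="YES"
inetd_enable="NO"
portmap_enable="NO"
nfs_server_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"
inetd_enable="yes"   # appended later and forgotten: this line wins, inetd is on
EOF
    echo "$f"
}

# Stand-alone demo: audit the sample against all four profiles.
demo() {
    f=$(make_sample_rcconf)
    for p in extreme high medium low; do
        echo "== $p: $(count_violations "$f" "$p") violation(s)"
        profile_violations "$f" "$p"
    done
    rm -f "$f"
}
demo
```

Run as-is it audits the constructed sample and shows that the duplicated inetd_enable line silently undoes the High profile; on a real host, `profile_violations /etc/rc.conf high` does the same against the live file. The check deliberately does not read /etc/defaults/rc.conf itself, so that anything the profile is supposed to pin explicitly shows up when it is missing.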